Mythbusting: on security and why we’re still using Zoom

April 29, 2020

April 29, 2020

Amidst its general path of destruction, coronavirus has blessed only a select few industries in lockdown (we’re looking at you baking supply companies) and fewer still have experienced a rise as meteoric as Zoom.

In the month of March, the video conferencing software jumped from 10 million to 200 million daily users. Everyone from politicians to pick-up football leagues is hosting Zoom chats making a moderately well-known company into a household name and an integrated part of our lives.

But this rapid expansion has brought media scrutiny with it. The past few weeks the news has been littered with stories of Zoom security breaches and questions around its reliability and safety. We’re unpacking a few of the myths behind these reports and explaining why we, as a cyber security company, are still on the Zoom bandwagon.

Some technical stuff

First, almost all conferencing software, including Zoom, uses HTTPS/TLS- an encryption protocol that protects communications on the internet. It’s the same protocol your bank uses when you login online or via an app. The information is encrypted from you to the servers of the provider, and then re-encrypted from the provider to you via a similar secure link.

Should the government be using Zoom to convey top secret information? Probably not. Is it fine for communicating openly with your team? Absolutely.

Basically, services like Zoom that use this encryption are inherently quite secure. Should the government be using Zoom to convey top secret information? Probably not. Is it fine for communicating openly with your team? Absolutely.

Security versus privacy

These two terms are very often and quite easily confused. Security protects strangers from unauthorised access to your data. Privacy has to do with the safeguarding of your identity. You can have security without privacy but not privacy without security.

The first wave of Zoom ‘security’ concerns was really about privacy and their collection of personal data of users. They have since updated their privacy policy to prevent anyone including Zoom employees from directly accessing data that users share during meetings including their names, and video/audio/chat recordings. “Importantly,” a Zoom spokesperson adds, “Zoom does not mine user data or sell user data of any kind to anyone.” While they don’t sell or share data with third parties, they do use Google Ads and Google Analytics.

If you really care about security

If you really care about security there are a few things you should always keep in mind when using videoconferencing.

First, use a unique password. According to a recent report, 71% of accounts are protected by passwords used on multiple websites. One of Zoom’s highest profile ‘breaches’ was actually just a breach on another platform for which users had been using the same password thus opening them up to further attack.

71% of accounts are protected by passwords used on multiple websites.

Second, update your operating system and keep your video conferencing software up-to-date. This will mean any patches or protection by the company will be in place on your device. Alternatively, you can use a browser rather than a separate app which are less vulnerable to attack.

If you want to use Zoom there are some settings you can activate for enhanced protection and privacy. These include the option to watermark all content, and restricting meetings to people with a certain email domain (xxx@cybersmart.co.uk). ‘Zoom bombing’ (allowing random people to enter your calls) is prevented by requiring your attendees to use a password to join a meeting.

We don’t recommend recording meetings unless you’re happy with them eventually making the papers but if you must, you can choose to store them locally rather than on the cloud.

If you really, really care about security

If you work in an industry with incredibly sensitive data that requires end-to-end encryption, Zoom may not be the service for you. They don’t truly offer this but there are a few others that do. You might consider using Wire or Webex (this is what we use to conduct remote security audits for Cyber Essentials Plus certification).

Video conferencing is a must in the remote workplace but there are a few factors to consider when deciding which service to use. The National Cyber Security Centre offers some great guidance on this.

As always, remember that the majority of cyber attacks can be prevented through basic cyber hygiene and the guidelines covered in the government’s Cyber Essentials scheme.